Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer. The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft's website.

Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.

When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or "zero-day" vulnerability, in Internet Explorer.

"Any time you see a zero-day like this, it is concerning," said Liam O Murchu, a research manager with anti-virus software maker Symantec Corp. "There are no patches available. It is very difficult for people to protect themselves."

Zero-day vulnerabilities are rare, mostly because they are hard to identify.